As mentioned by others you need to define what is inactive. Some folks will
simply say if an account has a password expired more than x days is
inactive, for others that may not be optimal. Some folks say if the account
hasn't been logged into in more than X days is inactive. If you have
Exchange
It's possible. What's your criteria?
DSQUERY, DSMOD are two tools that are touted as being able to do this pretty easily. Joeware tools are better (http://www.joeware.net ) for this task IMHO. Scripts, etc can also be used successfully.
Al
On 4/19/06, Myke [EMAIL PROTECTED] wrote:
hi
one of the tools that could help you with that is OLDCMP from Joeware.net. But
first you need to define for your own what the defintion is of period of
inactivity and how long.
Search the archives as previous threads are available that also mention the
deprovisioning of accounts.
cheers,
Third-party.
Sincerely,
_
(, / | /) /) /)
/---| (/_ __ ___// _ // _
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
Microsoft MVP -
What criteria are you using to determine that a user is inactive?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myke
Sent: Wednesday, April 19, 2006 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] automatic account disable
hi guys,
it's
15:52To:
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] automatic
account disable
It's possible. What's your criteria?
DSQUERY, DSMOD are two tools that are touted as being able to do this
pretty easily. Joeware tools are better (http://www.joeware.net ) for this task IMHO.
Scripts, etc
Myke,
You could write a script to do such a thing I suppose. Something to the effect of if lastLogonTimeStamp value is greater than 180 days, disable account kind of thing.
We utilize MIIS in house for this and for SOX deactivations, but it is certainly something you could write a script or a
MulnickSent: 19 April 2006 15:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] automatic account disable
It's possible. What's your criteria?
DSQUERY, DSMOD are two tools that are touted as being able to do this pretty easily. Joeware tools are better (
http://www.joeware.net
: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Wed 4/19/2006 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] automatic account disable
LOL. You're right, it is often advisable to disable first. I got caught up
in the moment ;)
Myke, there was a long conversation about
inactivity if not by lastlogon or lastlogontimestamp?
Thanks,
Jef
Subject: RE: [ActiveDir] automatic account disable Date: Wed, 19 Apr 2006 14:25:24 -0700 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Still,thereisnothing"automatic"nativelyintheOStolethimdothis. Policy
: Wed 4/19/2006 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] automatic account disable
I'm curious, how would you show activitity other than the last time the user
authenticated? Since disabling the account would only affect the ability to
authenticate (not including any
Ahhh...I thought you were aluding to some magical attribute in the 3rd dimension I did not know about in the Directory. :)
Yes, I agree, Process and policy needs to govern activity not just what the directory reports. :)
Thanks,
Jef
Subject: RE: [ActiveDir] automatic account disable Date
other ways you would show account inactivity if notby lastlogon or lastlogontimestamp?Thanks,
Jef Subject: RE: [ActiveDir] automatic account disable Date: Wed, 19 Apr 2006 14:25:24 -0700 From:
[EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Still, there is nothing
13 matches
Mail list logo